Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he or she
> >>> can trust, and has a "default deny" rule in place even for outgoing
> >>> connections.
> >>>
> >>> - Matt
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to port
> >> 80? I doubt it.
> >
> > No, the prudent and knowledgeable prudent home admin does not have default deny
> > rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_. Every internal source address,
> > and every destination port. Then he pokes holes in that 'deny everything'
> > for specific machines to make the kinds of external connections that _they_
> > need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine. My users know not to go plugging random devices in, and I properly configure the firewall to account for all legitimate traffic before the device is commissioned.

- Matt
Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header
On Fri, 30 Sep 2011, Christopher Morrow wrote:

> If you do nothing the default behavior is to send the packet to the RP...
> why? (why would you want this packet sent to the RP? it's got a valid
> destination, no? so deliver it out the egress interface?)

I was told it's because PFC3B can't look into the packet far enough to determine what the payload is (TCP/UDP etc) and port, that's only the RP that can do ACL handling of the packet. So if you configure "forward", people can put a fragmentation header on the packet and skip past your ACL.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
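The point made in the message above, as an added example that is not part of the original thread and is not Cisco's implementation: a classifier that reads only the fixed IPv6 header sees Next Header 44 and never reaches the TCP/UDP ports, while one that walks the extension-header chain does. The packets, the documentation addresses, and the single-rule ACL (deny TCP port 23) are constructed, and the "forwarded-unfiltered" verdict models the "forward" setting as the thread describes it.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, DEST_OPTS = 0, 6, 17, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
BLOCKED_TCP_PORT = 23  # constructed ACL: deny tcp any any eq 23, permit the rest


def ipv6_header(next_header, payload_len):
    """Fixed 40-byte IPv6 header with constructed documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def fragment_header(next_header, offset_units, more, ident):
    """8-byte Fragment header: 13-bit offset (8-octet units), 2 reserved bits, M flag."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (SYN); checksum left at zero for this sample."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def shallow_classify(packet):
    """Classifier that reads only the fixed header's Next Header field."""
    proto = packet[6]
    if proto in (TCP, UDP):
        return proto, struct.unpack_from("!HH", packet, 40)[1]
    return proto, None  # Next Header 44: the L4 header is out of reach


def deep_classify(packet):
    """Walk the extension-header chain to the upper-layer header."""
    proto, off, frag_offset = packet[6], 40, None
    while proto in EXT_HEADERS:
        if off + 8 > len(packet):
            return None, None, "truncated extension header"
        if proto == FRAGMENT:
            proto, _rsvd, off_flags, _ident = struct.unpack_from("!BBHI", packet, off)
            frag_offset = off_flags >> 3
            off += 8
            if frag_offset != 0:
                # Later fragments carry payload bytes only; ports are not present.
                return proto, None, "non-first fragment"
        else:
            proto, hdr_ext_len = packet[off], packet[off + 1]
            off += (hdr_ext_len + 1) * 8
    if proto in (TCP, UDP) and off + 4 <= len(packet):
        dport = struct.unpack_from("!HH", packet, off)[1]
        return proto, dport, "first fragment" if frag_offset == 0 else "unfragmented"
    return proto, None, "no TCP/UDP header visible"


def verdict_hardware_forward(packet):
    """Model of the 'forward' setting: fragment-header packets skip the ACL."""
    proto, dport = shallow_classify(packet)
    if proto == FRAGMENT:
        return "forwarded-unfiltered"
    return "deny" if (proto, dport) == (TCP, BLOCKED_TCP_PORT) else "permit"


def verdict_full_parse(packet):
    """ACL evaluated after walking the header chain (what the RP path can do)."""
    proto, dport, note = deep_classify(packet)
    if proto == TCP and dport == BLOCKED_TCP_PORT:
        return "deny"
    if dport is None:
        return "no-port-info (" + note + ")"
    return "permit"


def sample_packets():
    """Constructed packets: same TCP segment, with and without a Fragment header."""
    seg = tcp_header(40000, BLOCKED_TCP_PORT) + b"DATA"  # 24 bytes, multiple of 8
    return {
        "plain": ipv6_header(TCP, len(seg)) + seg,
        "first_fragment": ipv6_header(FRAGMENT, 8 + len(seg))
        + fragment_header(TCP, 0, True, 0x1234) + seg,
        "later_fragment": ipv6_header(FRAGMENT, 8 + 16)
        + fragment_header(TCP, 3, False, 0x1234) + b"\x00" * 16,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:15} hardware-forward={verdict_hardware_forward(pkt):22} "
              f"full-parse={verdict_full_parse(pkt)}")
```

Only the first fragment carries the ports, so a port-based rule can be enforced there; later fragments need a separate policy decision because no L4 header is present in them.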
Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header
On Fri, Sep 30, 2011 at 1:07 AM, Mikael Abrahamsson wrote:
>
> Just thought I'd share some operational info.
>
> PFC3B will by default punt IPv6 packets with fragmentation header to RP and
> route them there, with the obvious performance penalty this incurs.

when will vendors learn that punting to the RE/RP/smarts for packets in the fastpath is ... not just 'unwise' but wholesale stupid? :(

>
> Workaround is to change this behaviour, meaning ACLs won't work for packets
> with fragmentation header anymore:
>
> #platform ipv6 acl fragment hardware ?
>   drop     Drop IPv6 fragments at hardware
>   forward  Forward IPv6 fragments at hardware
>

your recommendation is to ... forward? (or perhaps not 'recommendation' but: "Forward means do not pass go, just ship out the proper egress interface. drop means ... send to hell"

If you do nothing the default behavior is to send the packet to the RP... why? (why would you want this packet sent to the RP? it's got a valid destination, no? so deliver it out the egress interface?)

thanks!
-chris

> PFC3C is supposed to not be affected.
>
> A lot of Teredo and 6to4 traffic has fragmentation headers, so this actually
> is a real problem. We discovered this at our Teredo relay upstream router.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header
Just thought I'd share some operational info.

PFC3B will by default punt IPv6 packets with fragmentation header to RP and route them there, with the obvious performance penalty this incurs.

Workaround is to change this behaviour, meaning ACLs won't work for packets with fragmentation header anymore:

#platform ipv6 acl fragment hardware ?
  drop     Drop IPv6 fragments at hardware
  forward  Forward IPv6 fragments at hardware

PFC3C is supposed to not be affected.

A lot of Teredo and 6to4 traffic has fragmentation headers, so this actually is a real problem. We discovered this at our Teredo relay upstream router.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he or she
> >>> can trust, and has a "default deny" rule in place even for outgoing
> >>> connections.
> >>>
> >>> - Matt
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to port
> >> 80? I doubt it.
> >
> > No, the prudent and knowledgeable prudent home admin does not have default deny
> > rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_. Every internal source address,
> > and every destination port. Then he pokes holes in that 'deny everything'
> > for specific machines to make the kinds of external connections that _they_
> > need to make.
>
> Tell me how that flies with the customers in your household...
>

They are freeloaders, not customers. If they -PAID- for service, then it would be a different conversation.

/bill
Re: Synology Disk DS211J
On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +
>>
>>> And this is why the prudent home admin runs a firewall device he or she
>>> can trust, and has a "default deny" rule in place even for outgoing
>>> connections.
>>>
>>> - Matt
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port
>> 80? I doubt it.
>
> No, the prudent and knowledgeable prudent home admin does not have default deny
> rule just for outgoing HTTP to port 80.
>
> He has a default deny rule for _everything_. Every internal source address,
> and every destination port. Then he pokes holes in that 'deny everything'
> for specific machines to make the kinds of external connections that _they_
> need to make.

Tell me how that flies with the customers in your household...

> Blocking outgoing port 80, _except_ from an internal proxy server, is not
> necessarily a bad idea. If the legitimate web clients are all configured
> to use the proxy server, then _direct_ external connection attempts are
> an indication that something "not so legitimate" may be running.
RE: Synology Disk DS211J
> From: Nathan Eisenberg
> Subject: RE: Synology Disk DS211J
> Date: Thu, 29 Sep 2011 21:58:23 +
>
> > And this is why the prudent home admin runs a firewall device he or she
> > can trust, and has a "default deny" rule in place even for outgoing
> > connections.
> >
> > - Matt
>
> The prudent home admin has a default deny rule for outgoing HTTP to port
> 80? I doubt it.
>

No, the prudent and knowledgeable prudent home admin does not have default deny rule just for outgoing HTTP to port 80.

He has a default deny rule for _everything_. Every internal source address, and every destination port. Then he pokes holes in that 'deny everything' for specific machines to make the kinds of external connections that _they_ need to make.

Blocking outgoing port 80, _except_ from an internal proxy server, is not necessarily a bad idea. If the legitimate web clients are all configured to use the proxy server, then _direct_ external connection attempts are an indication that something "not so legitimate" may be running.
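The policy described in the message above, as an added example that is not part of the original thread: outbound connection attempts are checked against a default-deny table with per-machine holes, and anything outside it is reported, with direct port-80 attempts from a non-proxy host called out separately. The internal addresses, the proxy host, the allow table and the iptables-style log lines are all constructed; the destination addresses and ports are the ones quoted in the thread.

```python
import re
from collections import Counter

PROXY = "192.168.1.10"  # hypothetical internal proxy server
ALLOW = {               # holes poked in "deny everything", per machine
    PROXY: {("TCP", 80), ("TCP", 443)},
    "192.168.1.30": {("UDP", 123)},  # hypothetical host allowed NTP only
}

# Constructed log lines in iptables LOG key=value style; 192.168.1.20 stands
# in for the storage device discussed in the thread.
SAMPLE_LOG = """\
Sep 29 12:11:48 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.242 PROTO=TCP SPT=40112 DPT=80
Sep 29 12:11:49 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.245 PROTO=TCP SPT=40113 DPT=81
Sep 29 12:12:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
Sep 29 12:12:30 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
Sep 29 12:41:48 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.242 PROTO=TCP SPT=40250 DPT=80
Sep 29 12:41:49 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.245 PROTO=TCP SPT=40251 DPT=81
Sep 29 12:41:50 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.245 PROTO=TCP SPT=40252 DPT=89
Sep 29 12:42:00 fw kernel: some unrelated kernel message
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is not a flow record."""
    fields = dict(KEY_VALUE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    try:
        dport = int(fields["DPT"])
    except ValueError:
        return None
    return fields["SRC"], fields["DST"], fields["PROTO"].upper(), dport


def is_allowed(src, proto, dport):
    """Default deny: a flow passes only if its source has an explicit hole."""
    return (proto, dport) in ALLOW.get(src, set())


def review(log_text):
    """Count every attempted flow that the default-deny policy would drop."""
    findings = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if is_allowed(src, proto, dport):
            continue
        if (proto, dport) == ("TCP", 80):
            reason = "direct HTTP bypassing proxy"
        else:
            reason = "no allow rule for this host/port"
        findings[(src, dst, proto, dport, reason)] += 1
    return findings


if __name__ == "__main__":
    for (src, dst, proto, dport, reason), count in review(SAMPLE_LOG).most_common():
        print(f"{count}x {src} -> {dst} {proto}/{dport}: {reason}")
```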
RE: Synology Disk DS211J
Or, open those specific ports as needed, then close. PITA though (pain in the @ss)

-----Original Message-----
From: Jones, Barry [mailto:bejo...@semprautilities.com]
Sent: Thursday, September 29, 2011 4:14 PM
To: 'Matthew Palmer'; nanog@nanog.org
Subject: RE: Synology Disk DS211J

Yep!

-----Original Message-----
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245
> (port 81 & 89) on a regular basis. These addresses are owned by Synology
> and Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
RE: Synology Disk DS211J
Yep!

-----Original Message-----
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245
> (port 81 & 89) on a regular basis. These addresses are owned by Synology
> and Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
Re: Synology Disk DS211J
----- Original Message -----
> From: "Nathan Eisenberg"

> > And this is why the prudent home admin runs a firewall device he or she can
> > trust, and has a "default deny" rule in place even for outgoing connections.
>
> The prudent home admin has a default deny rule for outgoing HTTP to
> port 80? I doubt it.

Why not?

You can poke holes in it specific to *workstations*; anything that isn't a workstation doesn't generally need to be phoning home without you knowing about it...

Cheers,
-- jra
--
Jay R. Ashworth           Baylink                     j...@baylink.com
Designer                  The Things I Think          RFC 2100
Ashworth & Associates     http://baylink.pitas.com    2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us    +1 727 647 1274
RE: Synology Disk DS211J
> And this is why the prudent home admin runs a firewall device he or she can
> trust, and has a "default deny" rule in place even for outgoing connections.
>
> - Matt
>

The prudent home admin has a default deny rule for outgoing HTTP to port 80? I doubt it.
Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is making
> outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 &
> 89) on a regular basis. These addresses are owned by Synology and Chungwa
> Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
Re: Cisco switch LACP + 802.1q
Thanks for all the suggestions.

I added the "switchport mode trunk" to the interfaces, and it did start working properly after a reload of the switch. Before the reboot, it would not work.

-Randy

----- Original Message -----
>
> I am tearing my hair out with an issue, and I hope someone can point
> something out to me that I am missing.
>
> I am setting up 2-port LACP sets on a Cisco 2960G-24TS-L, which then
> need to be 802.1q trunk ports.
>
> I have set it up as follows:
>
> interface Port-channel1
>  switchport mode trunk
> !
> interface Port-channel2
>  switchport mode trunk
> !
> interface Port-channel3
>  switchport mode trunk
> !
> interface Port-channel4
>  switchport mode trunk
> !
> interface GigabitEthernet0/1
>  channel-protocol lacp
>  channel-group 1 mode active
> !
> interface GigabitEthernet0/2
>  channel-protocol lacp
>  channel-group 1 mode active
> !
> interface GigabitEthernet0/3
>  channel-protocol lacp
>  channel-group 2 mode active
> !
> interface GigabitEthernet0/4
>  channel-protocol lacp
>  channel-group 2 mode active
> !
> interface GigabitEthernet0/5
>  channel-protocol lacp
>  channel-group 3 mode active
> !
> interface GigabitEthernet0/6
>  channel-protocol lacp
>  channel-group 3 mode active
> !
> interface GigabitEthernet0/7
>  switchport mode trunk
>  channel-protocol lacp
>  channel-group 4 mode active
> !
> interface GigabitEthernet0/8
>  switchport mode trunk
>  channel-protocol lacp
>  channel-group 4 mode active
>
>
> The problem is that after some period of time (sometimes minutes,
> sometimes hours), port-channel1 loses the "switchport mode trunk"
>
> It just disappears from the config. If I try to put it back, it adds
> "switchport mode trunk" to the member ports (Gi0/1, Gi0/2) as well,
> which does not work. I have to tear it all out and start again. It
> will then work for a while again.
>
> port-channel2 and port-channel3 are not in use yet, but port-channel4
> is, and works just fine.
>
> It is running IOS 15.0(1)SE. It was running 12.2 before, and it was
> doing the same thing, so I upgraded it to the latest available.
>
> What could be the issue?
>
> thanks,
> -Randy
>
Re: Synology Disk DS211J
In a message written on Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>
> GET / HTTP/1.1
> Host: 59.124.41.245:81
> Accept: */*

Perhaps a little further digging was in order? For instance, putting the IP and port in a web browser (http://59.124.41.245:81) which returns:

Current IP Check
Current IP Address: REDACTED

Looking at Synology's web page we find:

http://www.synology.com/dsm/internet_connection.php?lang=us

If they are going to do things like UPNP to open a port, and then DDNS to let you get there from the outside world, then the box needs to know your outside NAT address, and simple relays like this are the best bet. It's another ugly hack to get around the problems of a NAT in the middle.

I bet the box also checks for a new version of software from time to time.

While I would like vendors to better disclose the "phone home" behavior of their devices, virtually every computing device does this in some way or another if only to check for new software. Windows and Macs check a web server to know if you are "connected to the internet" or not. NAT traversal often uses a relay. DDNS registrations need the real IP, and so on.

Not much to see here, really, other than how ugly some of our protocols are in the real world.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Synology Disk DS211J
Hey all.

A little off topic, but wanted to share... I purchased a home storage Synology DS1511+. After configuring it on the home net, I did some captures to look at the protocols, and noticed that the DS1511+ is making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a regular basis. These addresses are owned by Synology and Chungwa Telecom in Taiwan.

So far, I've not been able to find much information on their support sites, or Synology's wiki, but I wanted to put it out there.

GET / HTTP/1.1
Host: 59.124.41.245:81
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 00:11:00 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0c PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 103
Content-Type: text/html

Barry Jones - CISSP GSNA
Project Manager
Sempra Energy Utilities
www.sempra.com
(760) 271-6822
Re: Cisco switch LACP + 802.1q
My limited understanding and experience with port-channels is that the member port configurations need to match the port channel configuration, at least with respect to 'switchport mode trunk', 'switchport trunk encapsulation' and 'switchport trunk allowed vlan'. This is between a 6500 and a WLC4404, so your mileage will obviously vary.

What does the configuration look on the device that is connected to the 2960?

Jason

On Thu, Sep 29, 2011 at 1:33 PM, Randy Carpenter wrote:
>
> I am tearing my hair out with an issue, and I hope someone can point
> something out to me that I am missing.
>
> I am setting up 2-port LACP sets on a Cisco 2960G-24TS-L, which then need to
> be 802.1q trunk ports.
>
> I have set it up as follows:
>
> interface Port-channel1
>  switchport mode trunk
> !
> interface Port-channel2
>  switchport mode trunk
> !
> interface Port-channel3
>  switchport mode trunk
> !
> interface Port-channel4
>  switchport mode trunk
> !
> interface GigabitEthernet0/1
>  channel-protocol lacp
>  channel-group 1 mode active
> !
> interface GigabitEthernet0/2
>  channel-protocol lacp
>  channel-group 1 mode active
> !
> interface GigabitEthernet0/3
>  channel-protocol lacp
>  channel-group 2 mode active
> !
> interface GigabitEthernet0/4
>  channel-protocol lacp
>  channel-group 2 mode active
> !
> interface GigabitEthernet0/5
>  channel-protocol lacp
>  channel-group 3 mode active
> !
> interface GigabitEthernet0/6
>  channel-protocol lacp
>  channel-group 3 mode active
> !
> interface GigabitEthernet0/7
>  switchport mode trunk
>  channel-protocol lacp
>  channel-group 4 mode active
> !
> interface GigabitEthernet0/8
>  switchport mode trunk
>  channel-protocol lacp
>  channel-group 4 mode active
>
>
> The problem is that after some period of time (sometimes minutes, sometimes
> hours), port-channel1 loses the "switchport mode trunk"
>
> It just disappears from the config. If I try to put it back, it adds
> "switchport mode trunk" to the member ports (Gi0/1, Gi0/2) as well, which
> does not work. I have to tear it all out and start again. It will then work
> for a while again.
>
> port-channel2 and port-channel3 are not in use yet, but port-channel4 is, and
> works just fine.
>
> It is running IOS 15.0(1)SE. It was running 12.2 before, and it was doing the
> same thing, so I upgraded it to the latest available.
>
> What could be the issue?
>
> thanks,
> -Randy
>
LACP between Riverstone RS8000 and Cisco ASX9000
This is my first post to Nanog. I apologize if it is off-topic but I have been driving myself crazy trying to figure this out.

Is anyone familiar with configuring LACP between Riverstone RS8000 (Running ROS 9.4.0.4) and a Cisco ASX9000. I am attempting to bring in 2 Gigabit Fiber links from NTT and bond them using LACP we will be using these links for a full BGP feed.

Any help would be appreciated, replies on or off list are alright with me.

--
Regards,
Christopher Young
Network Operations
InterMetro Communications, Inc.
805-433-8000 Main
805-433-0050 Direct
805-433-2589 Mobile
805-582-1006 Fax

*** Contact our NOC at 866-446-2662 or via email 'network.operati...@intermetro.net' ***
Cisco switch LACP + 802.1q
I am tearing my hair out with an issue, and I hope someone can point something out to me that I am missing.

I am setting up 2-port LACP sets on a Cisco 2960G-24TS-L, which then need to be 802.1q trunk ports.

I have set it up as follows:

interface Port-channel1
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface Port-channel3
 switchport mode trunk
!
interface Port-channel4
 switchport mode trunk
!
interface GigabitEthernet0/1
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 channel-protocol lacp
 channel-group 2 mode active
!
interface GigabitEthernet0/4
 channel-protocol lacp
 channel-group 2 mode active
!
interface GigabitEthernet0/5
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet0/6
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet0/7
 switchport mode trunk
 channel-protocol lacp
 channel-group 4 mode active
!
interface GigabitEthernet0/8
 switchport mode trunk
 channel-protocol lacp
 channel-group 4 mode active

The problem is that after some period of time (sometimes minutes, sometimes hours), port-channel1 loses the "switchport mode trunk"

It just disappears from the config. If I try to put it back, it adds "switchport mode trunk" to the member ports (Gi0/1, Gi0/2) as well, which does not work. I have to tear it all out and start again. It will then work for a while again.

port-channel2 and port-channel3 are not in use yet, but port-channel4 is, and works just fine.

It is running IOS 15.0(1)SE. It was running 12.2 before, and it was doing the same thing, so I upgraded it to the latest available.

What could be the issue?

thanks,
-Randy
Re: facebook spying on us?
Well what's making the connection? It looks like unencrypted http, if your social security number and last known addresses are streaming by you should be able to see them.

It's a bit of a jump to say that FB (not that I'm particularly fond of them) is spying on you from a single netstat command. You probably clicked login with facebook for some site and it's just autologging you in or overzealous prefetching.

Either way, I think we can all stop making tinfoil hats now...

2011/9/29 Glen Kent

> Hi,
>
> I see that i have multiple TCP sessions established with facebook.
> They come up even after i reboot my laptop and dont login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address                                     State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how i can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>
> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.
>
> Glen
>
Re: facebook spying on us?
On Thu, Sep 29, 2011 at 06:43:49PM +0530, Glen Kent wrote:
:Hi,
:
:I see that i have multiple TCP sessions established with facebook.
:They come up even after i reboot my laptop and dont login to facebook!
:
:D:\Documents and Settings\gkent>netstat -a | more
:
:Active Connections
:
:  Proto  Local Address  Foreign Address                                     State
:  TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
:  TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
:  TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
:
:[clipped]
:
:Any idea why these connections are established (with facebook and
:akamaitechnologies) and how i can kill them? Since my laptop has
:several connections open with facebook, what kind of information is
:flowing there?
:
:I also wonder about the kind of servers facebook must be having to be
:able to manage millions of TCP connections that must be terminating
:there.
:
:Glen
:

For the more paranoid open source users, I have found using the xxxterm web browser to help quite a bit. You can read about it at http://www.xxxterm.org
Re: facebook spying on us?
Install Ghostery on your browsers and you'll see even more connections pages want to make behind the scenes to tracking sites etc. It's not just javascript.

Greg

On Sep 29, 2011, at 8:57 AM, valdis.kletni...@vt.edu wrote:

> On Thu, 29 Sep 2011 18:43:49 +0530, Glen Kent said:
>> Any idea why these connections are established (with facebook and
>> akamaitechnologies) and how i can kill them? Since my laptop has
>> several connections open with facebook, what kind of information is
>> flowing there?
>
> Probably you visited other pages that have links to Facebook on them. Try
> installing NoScript or similar in your browser and don't allow Facebook
> javascript, and see if these connections evaporate.
>
> Akamai is a content-caching service, just means somebody paid to have their
> content be (hopefully) nearer to you network-wise.
>
>> I also wonder about the kind of servers facebook must be having to be
>> able to manage millions of TCP connections that must be terminating
>> there.
>
> Two words: Big Honkin' Load Balancers. OK, maybe more than two words. ;)
>
RE: facebook spying on us?
At least on a win 7 box, netstat -b gives the process that initiated the connection. Likely opened due to a link or something from some other web page.

-----Original Message-----
From: Patrick Muldoon [mailto:doon.b...@inoc.net]
Sent: Thursday, September 29, 2011 9:25 AM
To: Glen Kent
Cc: nanog@nanog.org
Subject: Re: facebook spying on us?

On Sep 29, 2011, at 9:13 AM, Glen Kent wrote:

> Hi,
>
> I see that i have multiple TCP sessions established with facebook.
> They come up even after i reboot my laptop and dont login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address                                     State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how i can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>

Use a sniffer like wireshark, and see what the traffic is? Are you using a chat program that supports facebook chat? Or perhaps a game or an application that uses facebook for something? Really it could be anything as there are lots of applications that have grown up around the Facebook Eco system.. Also are you browsing the web? There are facebook like buttons and the such all over the web. So you don't even need to be logged in or have visited yet after the reboot.

> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.

Lots of them. There is video of their new DC floating around that shows them..

http://www.datacenterknowledge.com/archives/2011/04/18/video-inside-facebooks-server-room/

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Base 8 is just like base 10, if you are missing two fingers. - Tom Lehrer
Re: facebook spying on us?
On Thu, 29 Sep 2011 18:43:49 +0530, Glen Kent said:
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how i can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?

Probably you visited other pages that have links to Facebook on them. Try installing NoScript or similar in your browser and don't allow Facebook javascript, and see if these connections evaporate.

Akamai is a content-caching service, just means somebody paid to have their content be (hopefully) nearer to you network-wise.

> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.

Two words: Big Honkin' Load Balancers. OK, maybe more than two words. ;)
Re: facebook spying on us?
On Sep 29, 2011, at 9:13 AM, Glen Kent wrote:

> Hi,
>
> I see that i have multiple TCP sessions established with facebook.
> They come up even after i reboot my laptop and dont login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address                                     State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
>   TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how i can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>

Use a sniffer like wireshark, and see what the traffic is? Are you using a chat program that supports facebook chat? Or perhaps a game or an application that uses facebook for something? Really it could be anything as there are lots of applications that have grown up around the Facebook Eco system.. Also are you browsing the web? There are facebook like buttons and the such all over the web. So you don't even need to be logged in or have visited yet after the reboot.

> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.

Lots of them. There is video of their new DC floating around that shows them..

http://www.datacenterknowledge.com/archives/2011/04/18/video-inside-facebooks-server-room/

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Base 8 is just like base 10, if you are missing two fingers. - Tom Lehrer
Re: facebook spying on us?
( Being this is a Windows box)

Want to scare yourself silly?

. Power off the PC;
. Plug it into a switch;
. Mirror the PC port into a Unix box running Wireshark;
. Boot the PC

Enjoy all the info leakages from all the apps you installed over the years.

-
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 09/29/11 09:19, Eric Clark wrote:

did you start your browser before looking at your connection list? However, you're on a window's box, so it wouldn't surprise me if they helpfully started ie for you

If you didn't start the browser you use to go to facebook (and its not ie), its fairly interesting.

On Sep 29, 2011, at 6:13 AM, Glen Kent wrote:

Hi,

I see that i have multiple TCP sessions established with facebook. They come up even after i reboot my laptop and dont login to facebook!

D:\Documents and Settings\gkent>netstat -a | more

Active Connections

  Proto  Local Address  Foreign Address                                     State
  TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
  TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
  TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED

[clipped]

Any idea why these connections are established (with facebook and akamaitechnologies) and how i can kill them? Since my laptop has several connections open with facebook, what kind of information is flowing there?

I also wonder about the kind of servers facebook must be having to be able to manage millions of TCP connections that must be terminating there.

Glen
Re: facebook spying on us?
Use 'netstat -ao' to see which process(es) they are associated with. Then use a sniffer to see what actual traffic they carry.

Jason

On Thu, Sep 29, 2011 at 9:13 AM, Glen Kent wrote:
> Hi,
>
> I see that I have multiple TCP sessions established with facebook.
> They come up even after I reboot my laptop and don't login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address  State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http  ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http  ESTABLISHED
>   TCP    gkent:3665
> a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how I can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>
> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.
>
> Glen
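One way to carry out the first step suggested above, as an added example that is not part of the original message: it parses saved `netstat -ao` and `tasklist /fo csv /nh` output, groups established TCP peers by owning process, and builds a libpcap capture filter for the sniffer step. The PIDs, image names and function names are constructed for illustration; the hostnames are the ones quoted in the thread, including the row wrapped over two lines.

```python
import csv, io
from collections import defaultdict

# Constructed sample: hosts are those quoted in the thread; PIDs and image names are invented.
NETSTAT_AO = """\
  Proto  Local Address   Foreign Address                    State        PID
  TCP    gkent:epmap     gkent:0                            LISTENING    1040
  TCP    gkent:3974      www-10-02-snc5.facebook.com:http   ESTABLISHED  2312
  TCP    gkent:3977      www-11-05-prn1.facebook.com:http   ESTABLISHED  2312
  TCP    gkent:3665
         a184-84-111-139.deploy.akamaitechnologies.com:http ESTABLISHED  3180
  UDP    gkent:1900      *:*                                             1040
"""
TASKLIST_CSV = '''"svchost.exe","1040","Console","0","4,112 K"
"examplechat.exe","2312","Console","0","38,204 K"
"exampleupdater.exe","3180","Console","0","9,876 K"
'''

def parse_tasklist(text):
    """PID -> image name, from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) > 1}

def parse_netstat(text):
    """Return TCP rows as dicts; a row wrapped over two lines is rejoined."""
    rows, pending = [], None
    for line in text.splitlines():
        fields = line.split()
        if pending and fields and fields[0] not in ("TCP", "UDP"):
            fields = pending + fields      # continuation of a wrapped TCP row
        pending = None
        if fields[:1] != ["TCP"]:          # skips header, blank and UDP rows
            continue
        if len(fields) < 5:                # foreign address wrapped to next line
            pending = fields
            continue
        host, _, port = fields[2].rpartition(":")
        rows.append({"host": host, "port": port, "state": fields[3], "pid": int(fields[4])})
    return rows

def peers_by_process(netstat_text, tasklist_text):
    """Group ESTABLISHED remote hosts under (pid, image name)."""
    names, report = parse_tasklist(tasklist_text), defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c["state"] == "ESTABLISHED":
            report[(c["pid"], names.get(c["pid"], "<unknown>"))].append(c["host"])
    return dict(report)

def capture_filter(hosts):
    """Build a libpcap capture filter limiting the sniffer to these peers."""
    return " or ".join(f"host {h}" for h in hosts)
```

The filter string can be pasted into Wireshark's capture filter field so the capture holds only the traffic of the process under investigation.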
Re: facebook spying on us?
Did you start your browser before looking at your connection list?

However, you're on a Windows box, so it wouldn't surprise me if they helpfully started IE for you.

If you didn't start the browser you use to go to facebook (and it's not IE), it's fairly interesting.

On Sep 29, 2011, at 6:13 AM, Glen Kent wrote:

> Hi,
>
> I see that I have multiple TCP sessions established with facebook.
> They come up even after I reboot my laptop and don't login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address  State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http  ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http  ESTABLISHED
>   TCP    gkent:3665
> a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how I can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>
> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.
>
> Glen
Re: facebook spying on us?
Could be something related to the earlier cookie controversy that was discussed. I did dig too deeply into exactly what they were doing however.

Chuck

On Thu, Sep 29, 2011 at 9:13 AM, Glen Kent wrote:
> Hi,
>
> I see that I have multiple TCP sessions established with facebook.
> They come up even after I reboot my laptop and don't login to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>   Proto  Local Address  Foreign Address  State
>   TCP    gkent:3974     www-10-02-snc5.facebook.com:http  ESTABLISHED
>   TCP    gkent:3977     www-11-05-prn1.facebook.com:http  ESTABLISHED
>   TCP    gkent:3665
> a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how I can kill them? Since my laptop has
> several connections open with facebook, what kind of information is
> flowing there?
>
> I also wonder about the kind of servers facebook must be having to be
> able to manage millions of TCP connections that must be terminating
> there.
>
> Glen
facebook spying on us?
Hi,

I see that I have multiple TCP sessions established with facebook. They come up even after I reboot my laptop and don't login to facebook!

D:\Documents and Settings\gkent>netstat -a | more

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    gkent:3974     www-10-02-snc5.facebook.com:http  ESTABLISHED
  TCP    gkent:3977     www-11-05-prn1.facebook.com:http  ESTABLISHED
  TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED

[clipped]

Any idea why these connections are established (with facebook and akamaitechnologies) and how I can kill them? Since my laptop has several connections open with facebook, what kind of information is flowing there?

I also wonder about the kind of servers facebook must be having to be able to manage millions of TCP connections that must be terminating there.

Glen